Security Boundary in Active Directory

[alanmott]

Hi all,

I'm interested in the forums views on where the Security Boundary exists in MS Windows Active Directory.

MS assert that this exists at the Forest level, as this is the only point at which a SysAdmin from one forest cannot acheive SysAdmin rights in another forest without those rights being explicitly granted.

Many text books and AD consultants however put this boundary at the domain level.

What is the consensus amongst AO security people?

At what point can I guarantee seperation of data, given that I want to keep rogue SysAdmins on one system/network gaining surreptitous access to data on another system/network?

Thanking you all in advance,

Alan Mott

[rapier57]

The security boundary exists at the forest. Even though the original intent (and as described in the original Win2K Resource Kit) was to set this border at the domain, there was a flaw in the design. So, in Win2K, the boundary exists at the forest. A domain administrator may be limited outside of the domain where the account is attached/created, the account still has rights and can manipulate/modify AD services up into the forest.

In Win2003, that is supposed to change slightly, so that the domain can be more secure.

I haven't seen anything further to suggest this is true or not, though. I will be playing in this sometime this Fall.